10 Practices to Secure the Supply Chain

NIST Drafting New Guidance to Mitigate Supply Chain Risk
10 Practices to Secure the Supply Chain

Guidance that identifies 10 overarching practices to mitigate supply chain risks is being developed by the National Institute of Standards and Technology.

See Also: How Tri-Counties Regional Center Secures Sensitive Files and Maintains HIPAA Compliance

Supply chain risks can occur when organizations purchase and implement information and communications technology products and services. "Supply chain risk is significant and growing," says Jon Boyens, a NIST senior advisor for information security who's co-authoring the new guidance, NIST Interagency Report 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems.

This is the second draft of IR 7622. In the latest version, NIST computer scientists pared to 10 from the 21 prescriptive practices to blunt supply chain risks described in the initial draft. They are:

  1. Uniquely identify supply chain elements, processes and actors;
  2. Limit access and exposure within the supply chain;
  3. Create and maintain the provenance of elements, processes, tools and data;
  4. Share information within strict limits;
  5. Perform supply chain risk management awareness and training;
  6. Use defensive design for systems, elements and processes;
  7. Perform continuous integrator review;
  8. Strengthen delivery mechanisms;
  9. Assure sustainment activities and processes; and
  10. Manage disposal and final disposition activities throughout the system or element life cycle.

Supply chain risk management, as described in the guidance, is a multidisciplinary practice with a number of interconnected enterprise processes that, when performed correctly, will help departments and agencies manage the risk of using information and communication technology products and services. The publication calls for procurement organizations to establish a coordinated team approach to assess the supply chain risk and to manage this risk by using technical and programmatic mitigation techniques.

Improving the supply chain is part of the federal government's Comprehensive National Cybersecurity Initiative, which states that managing risk requires a greater awareness of the threats, vulnerabilities and consequences associated with acquisition decisions.

"The growing sophistication of technology and increasing speed and scale of a complex, distributed global supply chain leave government agencies without a comprehensive way of managing or understanding the processes from design to disposal, and that increases the risk of exploitation through a variety of means including counterfeit materials, malicious software or untrustworthy products," according to a NIST statement that accompanied the latest draft.

NIST is basing IR 7622 on security practices and procedures it published along with those from the National Defense University and the National Defense Industrial Association. NIST is expanding the guidance to meet specific demands of the supply chain.

Before issuing the final guidance later this year, the authors of IR 7622 seek comments on the document, including prioritizing the supply chain risk management components. To help understand how the proposed process works, the authors want reviewers to consider how the practices could be applied to recent and upcoming procurement activities and provide comments on the practicality, feasibility, cost, challenges and successes. Comments should be sent to scrm-nist@nist.gov by May 25.


About the Author

Eric Chabrow

Eric Chabrow

Host & Producer, ISMG Security Report; Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow hosts and produces the semi-weekly podcast ISMG Security Report and oversees ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.